Hi, I've deployed FIM CM on a very large Active directory (250000+ users) everything has been delegated correctly and I am having two problems when looking up users for smartcard enrollment. All normal usernames are based on the following standards: Standard Accounts: Abcd123 Service Accounts: svc123 Admin Accounts: adm123 When I try to lookup users based on "abc" i get an 'ADSDSOOBject' Failed with no error message available, result code: -2147016669(0x80072023). I can however successfully search for service and admin accounts. Then I try to do a lookup of the actual login Name i.e. abcd321 i get the following error: "value does not fall within the expected range" Can anyone please help

Hi Everyone, We have managed to resolve both problems. Thanks for everyone involved in assisting us. Here are both problems listed with both solutions: 1. 'ADSDSOObject' Failed with no error message available, result code: -2147016669(0x80072023). This error code simply means that the search scope you are trying to read is too large. Plainly your result set is too large; add additional search parameters to limit the search scope. By default AD has a search scope limit for queries and the amount of AD objects a FIM CM search can return is limited by these same limits (to my knowledge it is 1000 objects). Unfortunately this value cannot be increased in FIM CM. 2. “value does not fall within the expected range” error In short this error occurs because Authorization Agent account does not have sufficient rights. Check that the account is part of the “Pre-Windows 2000 Compatible Access” Group and that the group rights are not applied differently across the Active Directory. Our problem stemmed from the fact that a set of OU’s had the permission for the group altered from the initially delegated permission. So if you get this error on a user, you can be sure that there is a permissions issue on the OU where they are located. Additional notes: If you have a large amount of users and groups, be sure add your subscribers group to the CLM.RequestSecurity.Groups key in the Web.config file. I hope this helps someone out there.